Moving folders into others is not logged. There are audit tools, but if you enable them, the volume of data generated will astound you. File operations happen far more often than expected and will fill any space you make available.
Easy way is look in the directory for any salvageable files. If the folder is not there, then you know it was moved. Then you have to find it, which is a pain but not that hard.
Last login is stored on the object as lastLogin I think in eDirectory.
Currently active users will have a value in Network Address. Including the source address (many protocols supported there, IP, IPX, DLC/LLC, and AppleTalk so the format is non-trivial, but ConsoleOne parses it properly)
Additional logging depends on what you need. For login/logout on Netware, the gold standard is still AuditLogin by Condrey Consulting and is fairly cheap and easy to use.
For more comprehensive, you can go as high as Sentinel for all sorts of things.
There are three levels of Sentinel, all using the same basic infrastructure. Sentinel is the full product with Correlation that is very powerful and way to hard to explain here.
Sentinel RD (Rapid Deploy) is more of a single server version, and a bit cheaper. Next releases will move to this approach, but making it easier to use a multi tiered setup, which is hard with the RD approach right now. Focused more on a single server instance.
Sentinel Log Manager is meant just to collect events and not do correlation nor a bunch of the fancier things that Sentinel full does.
They come in different event per second (eps) licenses. More expensive the more events you get. You can collect events from all sorts of devices.
Sentinel LM can filter and pass events up to Sentinel (full), to reduce and distribute the load better.
The new reporting in Novell's (NetIQ's now?) Identity Manager uses a sort of packaged Sentinel LM instance to collect events and can forward to other Sentinel systems as well.
